Uncovering NETWIRE Malware - Discovery & Deobfuscation

Published 2022-02-18
Make security 100x better in 2022 with Snyk's "The Big Fix" event! Get started here → j-h.io/snyk-bigfix

Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ j-h.io/patreon | j-h.io/paypal | j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🖥️ Zero-Point Security ➡ Certified Red Team Operator j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# j-h.io/c2dev
👨🏻‍💻7aSecurity ➡ Hacking Courses & Pentesting j-h.io/7asecurity
📗Humble Bundle ➡ j-h.io/humblebundle

🌎Follow me! ➡ j-h.io/discord | j-h.io/twitter | j-h.io/linkedin | j-h.io/instagram | j-h.io/tiktok

📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ j-h.io/sponsorship
🚩CTF Hosting Requests ➡ j-h.io/ctf
🎤 Speaking Requests ➡ j-h.io/speaking
💥 Malware Submission ➡ j-h.io/malware
❓ Everything Else ➡ j-h.io/etc

All Comments (21)
  • @plut4580
    John, please do not ever stop doing these kinds of videos. As a student I really love them, they're super interesting, keep up the great job!
  • @jonharper5919
    I love the journey John goes on in these videos. From "HOW DO THEY KNOW IT'S NETWIRE??" to "Oh here's a super unique obfuscation key that's an obvious IOC and they literally create directories named 'Netwire'"
  • @rstech10
    I appreciate the dark mode. I watch these videos on break during my night shift. LOL Great job with the content. Your dissections make it look easy.
  • @zer001
    Last week I dug into a .NET assembly with some base64-encoded strings in it. And thanks to John's videos I recognized the string and knew what to do with it.
  • @bbelsito
    Thank you for doing more of these! They're my favorite type of videos by you. I know you love doing CTFs because you enjoy it. Don't quit either series. Just know people love this series too
  • To be honest, I'm surprised that you haven't tried using Windows Terminal + SSH to connect to your remnux box for these deobfuscation videos... That'd be pretty slick.
  • @y.vinitsky6452
    Thank you John for using dark mode. I've been called a vampire since I was 17 :)
  • @kadoskreeper
    More more more! I love just learning new things. I like how you notice things that are the same. This is so cool
  • @nv_takeout
    was super excited for this vid! great watch and more valuable info! thx john
  • @cdenver
    Hell yeah! Thanks John. Love your content!
  • @DM-qm5sc
    31:40 I was getting worried that he wasn't going to upload the video
  • @letlaka8812
    I just recently discovered CTFs and John, your content is GOLD! I am trying to transition into cyber security, thank you for all the work you are doing.
  • @abdirahmann
    "dark mode for all you vampires that watch my content" 💀 I'm dead, John 🤣🤣🤣 19:58 that gave me a good laugh and energy to finish this video 😂 soo
  • John, would you care to do a piece on firmware/UEFI malware, its persistence, and how to approach deobfuscation and/or removal?
  • @4Da_Tech
    Good video, good content 👌 and always something interesting hidden 👍
  • 4D 5A is the hex representation of 'MZ', the magic string at the start of a Windows executable file.
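The comment above points at the check an analyst actually runs once a suspicious base64 string (as in the earlier comment about the .NET assembly) has been decoded: does the blob start with `MZ`, and does the `e_lfanew` pointer at offset 0x3C land on a `PE\0\0` signature? The following is an added example written for this page, not code from the video or from John Hammond; the sample payload is a constructed stub, not a real NETWIRE binary, and the helper names are ours.

```python
"""Validate that a decoded blob is a Windows PE file and locate embedded PE
headers. Added example for this page (not from the video); the sample bytes
below are constructed, not real malware."""
import base64
import struct

MZ_MAGIC = b"MZ"          # 0x4D 0x5A, the DOS header magic named in the comment
PE_SIGNATURE = b"PE\0\0"  # 0x50 0x45 0x00 0x00, found at the offset stored in e_lfanew


def looks_like_pe(data: bytes) -> bool:
    """True when data starts with 'MZ' and the 32-bit e_lfanew field at
    offset 0x3C points to a 'PE\\0\\0' signature inside the buffer.
    A bare 'MZ' (e.g. inside a text string) is not enough on its own."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def find_embedded_pe(blob: bytes):
    """Yield the offset of every 'MZ' in blob that is backed by a real PE header."""
    offset = blob.find(MZ_MAGIC)
    while offset != -1:
        if looks_like_pe(blob[offset:]):
            yield offset
        offset = blob.find(MZ_MAGIC, offset + 1)


def build_fake_pe() -> bytes:
    """Construct a minimal, non-executable stub: 'MZ' at 0, e_lfanew = 0x40,
    'PE\\0\\0' at 0x40. Constructed test data, not a real binary."""
    header = bytearray(0x44)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)
    header[0x40:0x44] = PE_SIGNATURE
    return bytes(header)


def decode_and_check(b64_text: str) -> list:
    """Base64-decode a string pulled from a sample and list PE header offsets."""
    data = base64.b64decode(b64_text)
    return list(find_embedded_pe(data))


# Constructed payload: 4 bytes of filler, a fake PE stub, then a decoy 'MZ'
# string that must NOT be reported because it has no PE signature behind it.
SAMPLE_B64 = base64.b64encode(b"junk" + build_fake_pe() + b"MZ not a pe").decode()

if __name__ == "__main__":
    print(decode_and_check(SAMPLE_B64))  # [4]
```

Checking `e_lfanew` as well as `MZ` matters in practice: two-byte magic strings show up by chance in compressed or encoded data, and a stub that passes both checks is worth carving out and handing to a PE parser.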